Seeking the way forward (Harden Windows Security Module / AppControl Manager)

[teleportpast]

Hello,

I've reviewed the wiki, but it's easy to get lost in the explanations.

I suggest if both the "Harden Windows Security Module" and the "AppControl Manager" continue to coexist, to separate the two products into different projects or pages for better clarity. This is also problematic in issue tickets because it’s unclear which product the problem refers to. It is inconvenient that important commands are hidden on readme page, such as launching in GUI mode and the compliance score.

For those using a standard user account daily and running applications in administrator mode when needed, it’s frustrating not to have easy access to the "AppControl Manager" application from the standard Windows account.

Additionally, I couldn't find where to apply the 14 policies for disabling telemetry.

Thank you for your hard work on this project.

[HotCakeX]

Hi,
Thanks for the suggestions,

here is what i've done about them so far:

• Created 2 Labels, "AppControl Manager" and "Harden Windows Security". They have different colors and icons. I labeled all of the issues properly so you can quickly tell which issue belongs to which product.

Here is what i'm going to do:

• Label all of the past and future Pull Requests to make it clear which product they belong to.
• Updated the Readme's design and adjust it to give the AppControl Manager more visibility.

Additionally, I couldn't find where to apply the #479 (comment) for disabling telemetry.

As mentioned in the same comment you linked to they are in the Miscellaneous category. So please follow this link which will go to the exact position on the Readme, then scroll down a bit and you will see them.

For those using a standard user account daily and running applications in administrator mode when needed, it’s frustrating not to have easy access to the "AppControl Manager" application from the standard Windows account.

Many of the AppControl Manager's features work without Admin privileges too, but a lot of them inevitably require Admin privileges because it's a security application just like an antivirus, responsible for allowing/blocking which files or programs can be executed on your device. I do plan to perform more micro-management so that rather than setting entire pages to require Admin privileges, I will make specific features, such as buttons etc. accessible based on the current privilege (Admin or non-Admin).

About the Wiki I've tried to organize it so that you can use find documents for each product easily. It's not perfect and there is always more improvements and work that can be done.

So you can find all of the documentations for the Harden Windows Security module in here.

And of course at the top of the Wiki you can find AppControl Manager's title and all of its sub-items represent each feature in it.

When creating an issue on this repository, you have the option to select from a drop down menu which product the issue belongs to.

[teleportpast]

Hi,

Thanks for the update! I really appreciate you outlining what you’ve been working on. It’s great to see you've created labels for "AppControl Manager" and "Harden Windows Security," implemented proper issue labeling, and are planning to update the Readme for better visibility of the AppControl Manager and label pull requests.(Sorry for the extra work!)

Your point about needing administrator privileges for many of the AppControl Manager features is completely logical.

I was initially hoping that the telemetry settings would be included directly within either the Harden Windows Security Module or the AppControl Manager itself, making them easier to enable/disable. It was a bit disappointing to discover they require manual configuration through these separate Policy CSP configurations as you pointed out. It's more involved than I expected for personal use.

Even though I find the local Group Policy and Local Security Policy applications in Windows complicated to use, they're easier for me to understand and navigate. The downside is that changing rules one by one takes a long time, and I don’t have the same level of expertise as you do regarding all the available Windows policies. I think that for personal use, the "Harden Windows Security Module" will be more interesting. It would benefit from more polish within the available options in the "Protect" category, as well as more integrated explanations.

If you create a new tutorial video for the "Harden Windows Security Module" in the future, I think videos by DeAndre Queary have a good teaching method.

[HotCakeX]

To apply the telemetry configurations you simply need to check a box in the UI.

I will definitely make videos for it. Big changes are coming soon.

If you have more feature requests i'd like to know them. I know currently there are many limitations, i will address them all in the new app.

[teleportpast]

Suggestions for Harden Windows Security Module

Some thoughts and suggestions that might further enhance usability and flexibility for a wider range of users. Many of these suggestions aim to enhance the visibility of features already present in the module.

Overall Philosophy - User Control & Gradual Adoption

The main goal is to keep the advanced security features accessible and easy to use, while also giving users more granular control and understanding of what they're enabling or disabling. It wouldn't be ideal for most users to have every rule applied with just two clicks right off the bat. Even enthusiastic users can be overwhelmed by all the changes if they haven’t seen them before. Allowing users to modify individual rules (currently 292) would be really beneficial. It’s also important that users easily understand whether a rule should be active or disabled to ensure their system is properly hardened.

UI/UX Improvements:

• Consolidating “Protect” and “Confirm & Verify”: Perhaps merging these sections into a single view would simplify things? We could have a simplified view listing categories of hardening measures, alongside a detailed view showing all rules grouped by category.
• Rule Filtering: Three filters would significantly improve user navigation:
  • Recommended Rules
  • Rules Potentially Impacting Usage Habits
  • Rules Related to User Data Transmission to Microsoft or Third Parties
• Visual Cues for Existing Settings: When the application starts, existing rules should clearly indicate their current status (e.g., pre-checked boxes or different coloring). This makes it immediately obvious what's already configured.
• Bitlocker & ASR Rules Placement: Moving Bitlocker out of the "Protect" section and into its own dedicated area would make sense. Similarly, making the current state of ASR rules visible would be great.
• “Confirm & Verify” Enhancements: If this section remains, allowing users to modify the values in each line—ideally with accompanying information like the original Windows Group Policy text—would be incredibly useful. A copy/paste function for easier web searches related to those settings would also be a welcome addition.

Feature Considerations & Simplification:

• Cloud Data Sharing Concerns: I know Microsoft Defender offers excellent security analysis capabilities with cloud-based file submissions and SmartScreen. However, many users may simply prefer to rely on the built-in Windows Defender antivirus operating locally, without automatically sharing data with Microsoft or other third parties.
• Removing "Unprotect" & "File Reputation": To keep things relatively simple, consider removing the "Unprotect" and "File Reputation" sections. The Unprotect function can be integrated into the main screen instead. For file verification, referencing VirusTotal (which utilizes multiple antivirus engines) is a solid alternative. Maybe include a section at the end pointing to helpful resources on your site such as:
  • Using Windows Sandbox for suspicious files
  • Configuring UEFI settings on major manufacturers (essential for Secure Boot and BitLocker)
  • Easily setting up exceptions for unsigned executables
• "Apps | Features" Clarification: Explaining why an app needs to be removed – and ideally recommending an equivalent – would be very helpful. Why remove applications like Calculator or Winget?
• Saving User Settings: It’s good that original user settings are preserved, but highlighting this more prominently would be beneficial. An import/export feature for rules or backups could save a lot of time during reinstallation.

Post-Hardening Experience:

• Admin Privileges in Standard Accounts: Preventing apps from running in admin mode within a standard account is great for shared computers with an administrator. But for a single-user PC, it's not very practical (unless they always use an admin account). We need to assume that most users will be inconvenienced by locked functionality and may abandon the hardening process.
• Restart Notifications: Displaying a clear message when a restart is required after applying new rules is essential.
• Offline Usage: The move away from reliance on third-party software is fantastic! Specifically, ensuring informational notes and documentation are embedded directly within the application—without requiring downloads from the web—would be very beneficial.
• Standalone Installation: Some organizations and individuals disable the Windows Store entirely

Thanks again for your hard work! I hope these suggestions are helpful. Let me know what you think.

[HotCakeX]

Hi @teleportpast
I just made a big update to the documentations and readme: #831
Hopefully things are much more organized, lmk what you think.
Soon I'll address the rest of your comments as well ^^